DYNAMICALLY MITIGATING A NONCOMPLIANT PASSWORD



FIELD OF THE INVENTION 
[0001] The present invention generally relates to computer security with password rules 
enforcement. The invention relates more specifically to dynamically mitigating a 
noncompliant password. 

BACKGROUND 

[0002] The approaches described in this section could be pursued, but are not necessarily 
approaches that have been previously conceived or pursued. Therefore, unless otherwise 
indicated herein, the approaches described in this section are not prior art to the claims in this 
application and are not admitted to be prior art by inclusion in this section. 
[0003] One type of computer system provides the ability to authenticate, authorize, and 
account (AAA) for users accessing computer services in the system on a network. The AAA 
services provide security to ensure that legitimate users are accepted, their access is 
controlled with authorization parameters, and their behaviors are tracked and audited with 
accounting. The AAA services also attempt to ensure that unknown or illegitimate users can 
be blocked. AAA services may be used in network systems, where the AAA service may be 
a separate process or physical device such as an access control server, or may be used in 
computer systems, where the AAA service is a thread or programming module running as 
part of a computer system on one or more physical machines. To protect users from entering 
"weak" or guessable passwords, some AAA systems retain password rules. These rules 
require certain password lengths, special characters, or other requirements for user
passwords, thereby ensuring that only "strong" passwords are used. 
[0004] A problem with the approach is that these systems help protect against weak 
passwords, but do so only at the time of password creation. Therefore, if password rules 
change, there is no way to ensure compliance of the passwords that are already in the 
repository. There is no batch mechanism to apply password rules to hundreds or thousands 
of passwords or to change out-of-compliance passwords that already exist in the system. 
[0005] AAA servers may proxy authentication to other services or servers. For example, 
the AAA server may proxy an Oracle™ database server and an application-licensing server 
each running on separate physical machines. Each of the services may have its own 
password policy or security policy, may have different password policies based on the role of 
the user (e.g. administrator, guest, etc.), and may change its password policies over time. A 
second problem with the approach is that the AAA system has no mechanism for enforcing 
different security or password policies based on which service is being accessed, role of the 
user, or newly defined password rules. 

[0006] Therefore, there is clearly a need for techniques to ensure that mitigating action is 
taken when passwords in the repository are not compliant with applicable security or 
password policy. 

BRIEF DESCRIPTION OF THE DRAWINGS

[0007] The present invention is illustrated by way of example, and not by way of 
limitation, in the figures of the accompanying drawings and in which like reference numerals 
refer to similar elements and in which: 

[0008] FIG. 1 is a block diagram that illustrates an overview of a system for dynamically 
mitigating a noncompliant password. 

[0009] FIG. 2A is a flow diagram that illustrates a high level overview of one 
embodiment of a method for dynamically mitigating a noncompliant password. 
[0010] FIG. 2B is a flow diagram that illustrates examples of performing a responsive 
action to a password not being of sufficient quality. 

[0011] FIG. 3 is a block diagram that illustrates a computer system upon which an 
embodiment may be implemented. 

DETAILED DESCRIPTION

[0012] A method and apparatus for dynamically mitigating a noncompliant password is 
described. In the following description, for the purposes of explanation, numerous specific 
details are set forth in order to provide a thorough understanding of the present invention. It 
will be apparent, however, to one skilled in the art that the present invention may be 
practiced without these specific details. In other instances, well-known structures and 
devices are shown in block diagram form in order to avoid unnecessarily obscuring the 
present invention. 

[0013] Embodiments are described herein according to the following outline: 

1.0 General Overview

2.0 Structural Overview 

3.0 Functional Overview 

4.0 Implementation Mechanisms — Hardware Overview 

5.0 Extensions and Alternatives 



1.0 GENERAL OVERVIEW

[0014] The needs identified in the foregoing Background, and other needs and objects 
that will become apparent from the following description, are achieved in the present
invention, which comprises, in one aspect, a method of dynamically mitigating a noncompliant
password by obtaining a password from a user when the user attempts to access a service; 
determining whether the password meets quality criteria; and if the password does not meet 
the quality criteria, performing one or more responsive actions that relate to accessing the 
service. 
[0015] In a related feature, the step of performing one or more responsive actions that
relate to accessing the service includes, if the password meets the quality criteria, granting to 
the user a first level of access to the service, where the first level of access to the service is 
associated with the quality criteria; if the password meets a second quality criteria, granting 
to the user a second level of access to the service, where the second level of access to the 
service is associated with the second quality criteria, where the second quality criteria is 
distinct from the quality criteria and where, if a particular password meets the quality criteria, 
then the password meets the second quality criteria. 

[0016] In a related feature, the step of performing one or more responsive actions that 
relate to accessing the service may include performing one or more of logging information 
related to the password; sending a report about the password; generating an alert about the 
password; forcing a password change; or blocking the user's access to the service. In a 
related feature, the method further includes, if the password does meet the quality criteria, 
providing user access to the service. 

[0017] In a related feature, the step of determining whether the password meets quality 
criteria includes one or more of the steps of performing a dictionary look-up based on the one 
or more symbols used in the password; checking the length of the one or more symbols used 
in the password; checking the number of unique characters of the one or more symbols used 
in the password; checking the case of the characters in the one or more symbols used in the 
password; checking the sequencing of characters in the one or more symbols used in the 
password; or performing statistical analysis based on the one or more symbols used in the 
password. 

[0018] In a related feature, the step of performing one or more responsive actions that 
relate to accessing the service includes logging information related to the password. In a 
related feature, the step of performing one or more responsive actions that relate to accessing
the service includes sending a report about the password. In a related feature, the step of 
performing one or more responsive actions that relate to accessing the service includes 
generating an alert about the password. In a related feature, the step of performing one or 
more responsive actions that relate to accessing the service includes forcing a password 
change. In a related feature, the step of performing one or more responsive actions that relate 
to accessing the service includes blocking the user's access to the service. 
[0019] In a related feature, obtaining the password from the user includes obtaining the 
password from the user via a graphical user interface. In a related feature, obtaining the 
password from the user includes obtaining the password from the user via an electronic 
interface. In a related feature, the method further includes the step of determining a quality 
score for the password, and where the step of determining whether the password meets 
quality criteria includes comparing the quality score to a predefined threshold value. 
[0020] In a related feature, the method further includes obtaining the password from a 
repository of passwords; making a first determination whether the password meets quality 
criteria; and storing in a particular machine-readable medium an indication of the first 
determination for the password; where the step of determining whether the password meets 
quality criteria includes accessing the particular machine-readable medium. 
[0021] In a related feature, the step of obtaining the password includes obtaining the 
password from a particular user, the particular user is associated with a particular user role, 
and where determining whether the password meets quality criteria includes determining 
whether the password meets quality criteria for the particular user role. In a related feature, 
determining whether the password meets the quality criteria includes determining whether 
the password meets quality criteria for the service. 
[0022] In a related feature, the step of obtaining the password includes an access service
obtaining the password from the user when the user attempts to access the service, where the
access service includes machine executable instructions executing on a particular machine,
and the service includes machine executable instructions executing on the same particular
machine. In a related feature, the step of obtaining the password includes an access service 
obtaining the password from the user when the user attempts to access the service, where the 
access service includes machine executable instructions executing on a first machine and the 
service includes machine executable instructions executing on a second machine, where the 
first machine is distinct from the second machine. 

[0023] In other aspects, the invention encompasses a computer apparatus and a machine- 
readable medium configured to carry out the foregoing steps. 

2.0 STRUCTURAL OVERVIEW 

[0024] FIG. 1 is a block diagram that illustrates an overview of a system for dynamically 
mitigating a noncompliant password. 

[0025] A user 101 is communicatively coupled to an access service 150. The user 101 
may be a human, a human operating a logical machine, or a physical machine. The access 
service 150 is communicatively coupled to a log 135, services 120a and 120b, and an 
authentication and authorization service 110. The authentication and authorization service
110 is also communicatively coupled to a log 136. In various embodiments, the coupling is
accomplished by optical, infrared, or radio signal transmission, direct cabling, wireless 
networking, local area networks (LANs), wide area network (WANs), the Internet, or any 
appropriate communication mechanism. 
[0026] The access service 150 may be communicatively coupled to a log 135, and the
authentication and authorization service 110 may be communicatively coupled to a log 136. 
In various embodiments, the logs 135, 136 are databases, flat files, data structures, or any 
other appropriate storage means. The access service 150 may store information related to 
activity at the access service 150 in the log 135. Similarly, the authentication and 
authorization service 110 may store information related to activity at the authentication and
authorization service 110 in the log 136.

[0027] The access service 150, services 120a and 120b, and authentication and 
authorization service 110 may each be implemented on a logical machine. Each logical
machine may run on separate physical computing machines or may run on the same physical 
computing machine as one or more of the other logical machines. Each logical machine may 
run as a separate process on the same physical machine. Logical machines may comprise 
one or more computer programs or other software elements. One or more of the logical 
machines may run as part of the same process or thread on the same physical machine. 
Various embodiments of computers and other physical machines are described in detail 
below in the section entitled Hardware Overview. 

[0028] In various embodiments, the access service 150 comprises or is hosted by a 
wireless access point, a virtual private network device, a network access server, a switch, a 
router, or any other appropriate device. In other embodiments, the access service 150 is a 
computer program module, embedded machine instructions, or any other appropriate service. 
In one embodiment, the access service 150 is a Cisco Secure Access Control Server. 
[0029] For example, a computer program running on a computer may provide 
programming modules for access service 150, services 120a and 120b, and authentication 
and authorization service 110 as part of a single computer program to control access to
services 120a and 120b. The computer program may control the access of a user 101 by
providing an access service 150 to retrieve a username and password when the user 101 tries to
access either of services 120a and 120b, and an authentication and authorization service
110 to determine the validity of the username and password.

[0030] As another example, the access service 150 may be a wireless access point that 
controls access to services 120a and 120b on the wireless network, and the authentication and 
authorization service 110 is an Authentication, Authorization, and Accounting server. A
user 101 is a supplicant attempting to access the service 120a. The wireless access point 150
obtains a username and password from the supplicant 101 and the AAA server 110
authenticates and authorizes the supplicant 101. If the supplicant 101 is successfully 
authenticated and authorized, the wireless access point 150 provides the supplicant 101 
access to the service 120a. In one embodiment, the access service 150 provides a graphical 
user interface (GUI) 151 to the user 101 and the user 101 is communicatively coupled to the 
access service 150 via the GUI 151. 

[0031] In other embodiments, the authentication and authorization service 110 or a
process thereto communicatively coupled provides the GUI 151 to the user. In various 
embodiments, a graphical user interface 151 is provided to a user 101 via a computer 
program running on a machine accessible to the user, via a hypertext transfer protocol 
(HTTP), secure HTTP (HTTPS), or file transfer protocol (FTP) server, via an rsync gateway, 
via an HTML or XML browser, or any appropriate means.

[0032] Alternatively, the user 101 may be provided an electronic interface 152. In 
various embodiments, the electronic interface 152 comprises an HTTP server or client, an
HTTPS server or client, an FTP server or client, an rsync gateway, Transmission Control
Protocol (TCP) / Internet Protocol (IP) sockets, Universal Datagram Protocol (UDP) sockets, 
or any other appropriate communication means. Alternatively, the electronic interface 152
may include a remote procedure call interface, a Java Remote Method Invocation interface, 
or any other remote interface. In related embodiments, the electronic interface 152 allows 
communications to be formatted in a proprietary format, Extensible Markup Language 
(XML), Hypertext Markup Language (HTML), or any other appropriate format. In one 
embodiment, the access service 150 provides an electronic interface 152, and the user 101 is 
communicatively coupled to the access service 150 via the electronic interface 152. In other 
embodiments, the authentication and authorization service 110 or a process thereto
communicatively coupled provides the electronic interface 152. 

3.0 FUNCTIONAL OVERVIEW 

[0033] FIG. 2A is a flow diagram that illustrates a high level overview of one 
embodiment of a method for dynamically mitigating a noncompliant password. 
[0034] In step 210, a password is obtained. A password may be obtained from a user by 
an access service when the user attempts to access a particular service, the access to which is 
controlled by the access service. In various embodiments, obtaining a password includes 
receiving a password from the user via a graphical or electronic interface. For example, in 
the context of FIG. 1, an access service 150 obtains a password from a user 101 when the 
user attempts to access a service 120a; the access service 150 provides to the user 101 a GUI
151 into which a human user may type a username and password. As another example, in
the context of FIG. 1, a user 101 is a machine attempting to access a service 120a. The 
access service 150 provides an electronic interface 152 to the user 101. The user 101 
provides the password to the access service 150 via the electronic interface 152. 
[0035] In step 220, the quality of the password is determined. In various embodiments,
determining the quality of a password includes performing a dictionary lookup on the 
password, checking the length of the password, checking the number of unique characters in 
the password, checking the mixing of cases in the password, checking the sequencing of the 
characters in the password, performing a statistical analysis of the password, or any other 
appropriate check. See for example the "Department of Defense Password Management 
Guideline", CSC-STD, 85-002, Department of Defense Computer Security Center, 1986. 
[0036] In one embodiment, one or more quality scores are generated for the password. In 
a related embodiment, the one or more quality scores are generated after the password is 
obtained in step 210. Alternatively, the one or more quality scores may be generated before 
the password is obtained in step 210. For example, in the context of FIG. 1, an 
authentication and authorization service 110 determines the quality scores of one or more 
passwords, including a particular password, each time there is a change to the password 
policy for the authentication and authorization service 110. When the access service 150 
sends the particular password to the authentication and authorization service 110, the
authentication and authorization service 110 performs a check of the quality of the password
by retrieving from a machine-readable medium the latest quality score determined for the 
particular password. 

[0037] In step 230, a test is performed to determine whether the password is of sufficient 
quality. Testing to determine whether the password is of sufficient quality may include 
comparing a quality score generated in step 220 to a predetermined value or a set of 
predetermined values. For example, a quality score generated in step 220 may be compared 
to a force-password-change threshold value and an alert threshold value, where the force- 
password-change value is lower than the alert value. If the quality score generated in step 
220 is below the force-password-change threshold value, then the user is forced to change the
password in step 240 (described below). If the quality score generated in step 220 is above 
the force-password-change threshold value, but below the alert value, then the user is notified 
that the password should be changed (in step 240), or a log record is created, but a change is 
not forced. 

[0038] In various embodiments, determining whether the password is of sufficient 
quality includes determining the role of the user or the access that the user is permitted for 
the service. A user may be associated with a role such as administrator, user, or guest. Each 
role may have associated with it a different password strength requirement. For example, a 
password for a user with the role of "administrator" may need to be stronger than a password 
for the role of user. A password for a user with the role of "guest" may not need to be as 
strong as passwords for users in the role of admin or user. 

[0039] In one embodiment, an access service controls access to multiple services. In 
such an embodiment, the password strength for each service may be different. 
Consequently, a password may be of high-enough quality for one service, but not for
another service. For example, in the context of FIG. 1, an access service 150 controls access 
to two services 120a and 120b. When a user 101 attempts to access the first service 120a 
(e.g. a web server providing an intranet containing company news), the access service 150 
determines that the password provided by the user 101 is of high-enough quality. If the same 
user 101 then attempts to access a second service 120b (e.g. a database of employee 
information), then the access service 150 performs a check and determines that the password 
is not of high-enough quality and takes further action in step 240. These processes may be 
performed if the password is obtained at the time each service is accessed, or if the password 
is obtained once before both accesses. 
[0040] If the password is determined to have sufficient quality in step 230, then in step
235, the method for dynamically mitigating a noncompliant password is ended. In various 
embodiments, ending the process of dynamically mitigating a noncompliant password 
includes granting the user access to a service or passing control to another process or 
machine to further validate the user. For example, in the context of FIG. 1, if the password 
given by a user 101 is determined sufficient in step 230, then in step 235, the user 101 is 
granted access to the service 120a. 

[0041] If the password is determined insufficient in step 230, then in step 240 an 
appropriate action is performed to respond to the password quality. Performing an 
appropriate action in response to password quality is described in more detail below with 
respect to FIG. 2B. 

[0042] FIG. 2B is a flow diagram that illustrates examples of performing a responsive 
action to a password not being of sufficient quality. 

[0043] In various embodiments, performing the appropriate action 240 includes logging 
information related to the password 242, sending a report about the password 244, generating 
an alert about the password 246, forcing a password change 248, blocking the user's access 
to the service 250, changing access levels or types 252, or any other appropriate action. In 
related embodiments, the action taken is based on a quality score determined during step 220. 
[0044] In one embodiment, logging information related to the password 242 may include 
writing information to a log file, database, or any machine-readable medium about the 
password, its strength, the checks performed on the password, the user, the user's role, or the 
service to which the user was attempting to gain access. For example, in the context of FIG. 
1, a user 101 attempts to access a service 120a via an access service 150. The access service 
150 determines that the password is not of very high quality, but is of high-enough quality to 
not force the user to change the password. The access service 150 then writes an entry to its
log 135 as part of step 242. The entry in the log 135 may later be used by an automated 
process or a human operator to perform an "audit" of the strength of passwords that have 
been seen by the access service 150. 

[0045] In various embodiments, the action taken in step 240 is to send a report to the 
user, to a system administrator, or to any appropriate party (step 244). The report may 
include information related to the user, the password, the checks performed on the password, 
the service, or any other appropriate information. For example, in the context of FIG. 1, a 
password is provided by a user 101 to access service 150, and the access service 150 
provides the password to an authentication and authorization service 110. The authentication
and authorization service 110 determines that the password is not of high-enough quality. In 
response to the password not being of high-enough quality, the authentication and 
authorization service 110, as part of step 244, sends a report to a network administrator
indicating that the password for the particular user 101 is not of high-enough quality. The 
report may be an email, one or more entries in a database, an instant message, etc. 
[0046] In one embodiment, in step 240 an alert about the password is generated (step 
246). In various embodiments, the alert is provided to the user, to an administrator or to a 
machine. For example, in the context of FIG. 1, after an authentication and authorization 
service 110 performs a check on a user's 101 password, the authentication and authorization 
service 110 may provide, as part of step 246, an alert indicating that the password is not of
high enough quality and should be changed by the user. As another example, upon detection 
of a password that is not of high-enough quality, an alert may be sent to an administrator or 
machine that may later require the user 101 to provide a new password. 



50325-0874 (Seq. No. 8660) 



[0047] Step 240 may include forcing a password change (step 248) upon detection that 
the password does not meet the predefined criteria. In a related embodiment, the user is then 
prompted to enter a new password. In one embodiment, a check is performed to determine 
whether the new password meets the predefined criteria and, if the new password does not, 
then the new password is not accepted. In one embodiment, once a user has entered a 
password that meets the predefined criteria, the password is stored, and the user is granted 
access to the service. For example, in the context of FIG. 1, if an authentication and 
authorization service 110 determines that the password for a user 101 is not of high-enough 
quality, then the authentication and authorization service 110 informs the access service 150 
about the quality determination. The access service 150 then requires the user 101 to enter a 
new password as part of step 248. If the new password does not meet the predefined criteria 
for quality, then the access service 150 may require the user 101 to continue entering 
different passwords until one of the passwords meets the quality criteria. Once the user 101 
has entered a password that meets the quality criteria, the user 101 is granted access to the 
service 120a. 

[0048] In one embodiment, step 240 includes blocking the user's access to the service 
(step 250). In a related embodiment, in addition to the user's access being blocked, the user 
is informed that there is a requirement to change the password used to access the particular 
service to make it of high-enough quality in order to regain access to the service. For 
example, in the context of FIG. 1, an access service 150 blocks a user's 101 access to a 
service 120a (step 250) and indicates that the user 101 must perform a password change and 
provides instructions on how to change the password. In one alternative, the user may be 
instructed about how to improve password quality. 
[0049] In one embodiment, step 240 includes changing access levels or types (step 252).
In a related embodiment, if a user's password does not have a level of quality above a first 
predefined quality level, but does have a level of quality above a second predefined quality 
level, where the first predefined quality level is higher than the second predefined quality 
level, then the user is provided the lower level of access associated with the second 
predefined quality level. In a related embodiment, if the user's password has a level of 
quality above the first predefined quality level, then the user is provided a higher level of 
access associated with the first predefined quality level. For example, in the context of 
FIG. 1, an access service 150 determines that a user's 101 password is better than a "guest 
password" level of quality, but is not better than an "administrator" level of quality. 
Consequently, the access service 150 provides the user 101 with guest privileges to the 
services it controls - where the guest level privileges are a subset of the privileges provided 
at administrator level ("administrator privileges"). If a second user 101 logs in with a 
password that meets the higher, administrator level of quality, then the second user 101 is 
provided with administrator privileges. 

[0050] Various embodiments described with respect to FIG. 2A and FIG. 2B enable 
dynamic enforcement of password schemes. Other embodiments described with respect to 
FIG. 2A and FIG. 2B enable dynamic mitigation of passwords that do not meet predefined 
criteria. The embodiments described herein enable one to make and use a system where a 
password scheme may be dynamically enforced (or used to mitigate password quality) based 
on user role or based on the service to which a user wishes to gain access. 
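
The flow of FIG. 2A and FIG. 2B can be sketched as follows. This is an added example, not code from the specification: the scoring weights, the word list, the service and role names, the threshold values and every function name are assumptions chosen for illustration. The audit record carries the score and the actions taken, never the password.

```python
"""Login-time password quality check with threshold-based responses."""
import string
from dataclasses import dataclass
from enum import Enum

# Constructed sample word list; a deployment would load a real dictionary.
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "admin"}


class Action(Enum):
    LOG = 242            # values follow the step labels of FIG. 2B
    ALERT = 246
    FORCE_CHANGE = 248


@dataclass(frozen=True)
class Policy:
    force_change: int    # below this score a password change is forced
    alert: int           # below this (but >= force_change) the user is alerted

    def __post_init__(self):
        if not 0 <= self.force_change < self.alert <= 100:
            raise ValueError("force_change must be lower than alert")


# Hypothetical per-service, per-role policies (names and values are assumptions).
POLICIES = {
    ("intranet", "user"): Policy(40, 60),
    ("hr_database", "user"): Policy(60, 85),
    ("hr_database", "administrator"): Policy(85, 95),
}
# Step 252 tiers, strongest first: (access level, minimum score).
TIERS = (("administrator", 85), ("guest", 40))


def sequence_runs(password: str) -> int:
    """Count 3-character runs that repeat or step by one: 'aaa', 'abc', '321'."""
    codes = [ord(c) for c in password]
    return sum(
        1
        for a, b, c in zip(codes, codes[1:], codes[2:])
        if b - a == c - b and b - a in (-1, 0, 1)
    )


def quality_score(password: str) -> int:
    """Step 220: dictionary, length, uniqueness, character-class and sequencing checks."""
    core = password.lower().strip(string.digits + string.punctuation)
    if core in DICTIONARY:                      # dictionary word with decoration
        return 0
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    score = 2 * min(len(password), 16)          # length: up to 32
    score += 2 * min(len(set(password)), 12)    # unique characters: up to 24
    score += 8 * sum(any(ch in cls for ch in password) for cls in classes)  # up to 32
    score += max(0, 12 - 4 * sequence_runs(password))   # sequencing: up to 12
    return score


@dataclass(frozen=True)
class Decision:
    score: int
    granted: bool
    actions: tuple
    audit: dict          # what is written to the log; never the password itself


def decide(user: str, password: str, service: str, role: str) -> Decision:
    """Steps 230/240: compare the score with the policy for this service and role."""
    policy = POLICIES[(service, role)]
    score = quality_score(password)
    if score < policy.force_change:
        granted, actions = False, (Action.LOG, Action.FORCE_CHANGE)
    elif score < policy.alert:
        granted, actions = True, (Action.LOG, Action.ALERT)
    else:
        granted, actions = True, ()
    audit = {"user": user, "service": service, "role": role, "score": score,
             "actions": [a.name for a in actions]}
    return Decision(score, granted, actions, audit)


def access_level(password: str):
    """Step 252: grant the highest tier whose minimum score the password reaches."""
    score = quality_score(password)
    return next((name for name, minimum in TIERS if score >= minimum), None)


if __name__ == "__main__":
    # Constructed sample logins: the same password against two services.
    for svc in ("intranet", "hr_database"):
        print(svc, decide("alice", "abc12345", svc, "user").audit)
```

Because the check runs when the password is presented, tightening an entry in the policy table takes effect at each user's next login without any batch pass over stored credentials.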

4.0 IMPLEMENTATION MECHANISMS - HARDWARE OVERVIEW
[0051] FIG. 3 is a block diagram that illustrates a computer system 300 upon which an 
embodiment of the invention may be implemented. Computer system 300 includes a bus 302 
or other communication mechanism for communicating information, and a processor 304 
coupled with bus 302 for processing information. Computer system 300 also includes a main 
memory 306, such as a random access memory ("RAM") or other dynamic storage device, 
coupled to bus 302 for storing information and instructions to be executed by processor 304. 
Main memory 306 also may be used for storing temporary variables or other intermediate 
information during execution of instructions to be executed by processor 304. Computer 
system 300 further includes a read only memory ("ROM") 308 or other static storage device 
coupled to bus 302 for storing static information and instructions for processor 304. A 
storage device 310, such as a magnetic disk or optical disk, is provided and coupled to bus 
302 for storing information and instructions. 

[0052] Computer system 300 may be coupled via bus 302 to a display 312, such as a 
cathode ray tube ("CRT"), for displaying information to a computer user. An input device 
314, including alphanumeric and other keys, is coupled to bus 302 for communicating 
information and command selections to processor 304. Another type of user input device is 
cursor control 316, such as a mouse, trackball, stylus, or cursor direction keys for 
communicating direction information and command selections to processor 304 and for 
controlling cursor movement on display 312. This input device typically has two degrees of 
freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to 
specify positions in a plane. 

[0053] The invention is related to the use of computer system 300 for dynamically 
mitigating a noncompliant password. According to one embodiment of the invention, 
dynamically mitigating a noncompliant password is provided by computer system 300 in
response to processor 304 executing one or more sequences of one or more instructions 
contained in main memory 306. Such instructions may be read into main memory 306 from 
another machine-readable medium, such as storage device 310. Execution of the sequences 
of instructions contained in main memory 306 causes processor 304 to perform the process 
steps described herein. In alternative embodiments, hard-wired circuitry may be used in 
place of or in combination with software instructions to implement the invention. Thus, 
embodiments of the invention are not limited to any specific combination of hardware 
circuitry and software. 

[0054] The term "machine-readable medium" as used herein refers to any medium that 
participates in providing instructions to processor 304 for execution. Such a medium may 
take many forms, including but not limited to, non-volatile media, volatile media, and 
transmission media. Non-volatile media includes, for example, optical or magnetic disks, 
such as storage device 310. Volatile media includes dynamic memory, such as main memory 
306. Transmission media includes coaxial cables, copper wire and fiber optics, including the 
wires that comprise bus 302. Transmission media can also take the form of acoustic or light 
waves, such as those generated during radio wave and infrared data communications. 

[0055] Common forms of computer-readable media include, for example, a floppy disk, a 
flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other 
optical medium, punchcards, papertape, any other physical medium with patterns of holes, a 
RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, a 
carrier wave as described hereinafter, or any other medium from which a computer can read. 

[0056] Various forms of computer readable media may be involved in carrying one or 
more sequences of one or more instructions to processor 304 for execution. For example, the 
instructions may initially be carried on a magnetic disk of a remote computer. The remote 
computer can load the instructions into its dynamic memory and send the instructions over a 
telephone line using a modem. A modem local to computer system 300 can receive the data 
on the telephone line and use an infrared transmitter to convert the data to an infrared signal. 
An infrared detector can receive the data carried in the infrared signal and appropriate 
circuitry can place the data on bus 302. Bus 302 carries the data to main memory 306, from 
which processor 304 retrieves and executes the instructions. The instructions received by 
main memory 306 may optionally be stored on storage device 310 either before or after 
execution by processor 304. 

[0057] Computer system 300 also includes a communication interface 318 coupled to bus 
302. Communication interface 318 provides a two-way data communication coupling to a 
network link 320 that is connected to a local network 322. For example, communication 
interface 318 may be an integrated services digital network ("ISDN") card or a modem to 
provide a data communication connection to a corresponding type of telephone line. As 
another example, communication interface 318 may be a local area network ("LAN") card to 
provide a data communication connection to a compatible LAN. Wireless links may also be 
implemented. In any such implementation, communication interface 318 sends and receives 
electrical, electromagnetic or optical signals that carry digital data streams representing 
various types of information. 

[0058] Network link 320 typically provides data communication through one or more 
networks to other data devices. For example, network link 320 may provide a connection 
through local network 322 to a host computer 324 or to data equipment operated by an 
Internet Service Provider ("ISP") 326. ISP 326 in turn provides data communication services 
through the worldwide packet data communication network now commonly referred to as the 
"Internet" 328. Local network 322 and Internet 328 both use electrical, electromagnetic or 
optical signals that carry digital data streams. The signals through the various networks and 
the signals on network link 320 and through communication interface 318, which carry the 
digital data to and from computer system 300, are exemplary forms of carrier waves 
transporting the information. 

[0059] Computer system 300 can send messages and receive data, including program 
code, through the network(s), network link 320 and communication interface 318. In the 
Internet example, a server 330 might transmit a requested code for an application program 
through Internet 328, ISP 326, local network 322 and communication interface 318. In 
accordance with the invention, one such downloaded application provides for dynamically 
mitigating a noncompliant password as described herein. 

[0060] The received code may be executed by processor 304 as it is received, and/or 
stored in storage device 310, or other non-volatile storage for later execution. In this manner, 
computer system 300 may obtain application code in the form of a carrier wave. 

5.0 EXTENSIONS AND ALTERNATIVES 

[0061] In the foregoing specification, the invention has been described with reference to 
specific embodiments thereof. It will, however, be evident that various modifications and 
changes may be made thereto without departing from the broader spirit and scope of the 
invention. The specification and drawings are, accordingly, to be regarded in an illustrative 
rather than a restrictive sense. 